CISO’s Guide to Presenting Cybersecurity to Board Directors

Seasoned CISOs/CSOs understand the importance of effectively communicating cyber risk and the need for investment in cybersecurity defense to the board of directors. To ensure cybersecurity becomes a strategic part of the corporate culture, it is crucial for CISOs to present the topic in a clear, concise, and compelling manner. In this article, I will share my advice on best practices that can help CISOs successfully raise awareness and secure the necessary support from their organization’s board.

One key aspect of successful communication is understanding the business objectives and risk appetite of the organization. It is essential to align cybersecurity initiatives with these objectives in order to demonstrate the value they can bring to the company. The board should be presented with data-driven evidence of cyber risks and potential consequences, along with an overview of the return on investment (ROI) in cybersecurity defense. This will help bridge the gap between technical and business perspectives, fostering an environment where cybersecurity is taken seriously and becomes a strategic priority.

Another crucial element is to focus on quantifiable metrics and avoid using vague or overly technical jargon. Board members are not necessarily experts in cybersecurity, so it is important to present information in a way that is easily digestible and resonates with them. Utilize real-world examples, case studies, and industry benchmarks to drive home the importance of investing in cybersecurity defense and creating a culture where everyone plays a role in protecting the organization from cyber threats.

Understanding the Board’s Perspective

As a CISO, it’s essential to comprehend the board’s viewpoint when presenting cybersecurity initiatives. Board members are typically focused on the company’s overall strategic direction, financial performance, and risk management. Thus, it’s critical to align your cybersecurity presentation with their priorities.

First, understand what concerns the board members the most. This could range from potential financial losses due to cyberattacks to reputational damage resulting from a breach. According to a Board of Directors Cyber Attitudes report, board members are particularly interested in quantifiable metrics and risk assessments that provide an accurate view of the company’s cybersecurity posture.

Ensure that your presentation demonstrates the return on investment (ROI) of your cybersecurity initiatives. Highlight the correlation between robust cybersecurity measures and attaining the company’s business objectives – whether it’s reducing downtime or enhancing customer trust.

Lastly, establish a dialogue with the board and be prepared to address their questions and concerns. Regular communication keeps the board informed about the cybersecurity landscape and fosters a deeper understanding of the risks and strategies involved, ultimately making cybersecurity a strategic part of the corporate culture.

Developing a Clear Cybersecurity Strategy

As a CISO/CSO, creating and presenting a clear cybersecurity strategy to the board of directors is crucial in fostering awareness of cyber risks and encouraging investment in cybersecurity defense. A comprehensive approach encompasses aligning with business objectives, identifying key cyber risks, and setting priorities for investment.

Aligning with Business Objectives

One of the essential aspects of a successful cybersecurity strategy is to ensure that it aligns with your organization’s overall business objectives. This connection helps the board of directors to understand the significance of cybersecurity in achieving the company’s goals. Begin by:

  • Mapping cybersecurity initiatives to specific business objectives, such as increasing revenue or improving customer trust.
  • Demonstrating how a strong cybersecurity posture supports and enhances the organization’s competitive advantage.
  • Communicating the potential financial and reputational impact of cybersecurity incidents and how the strategy is designed to mitigate those risks.

Identifying Key Cyber Risks

In presenting a cybersecurity strategy, it is crucial to identify the key cyber risks facing your organization. A thorough assessment of these risks will enable the board to understand the need for investment in cybersecurity. When identifying key cyber risks, consider:

  • Current and emerging threat landscape in your industry.
  • Vulnerability assessments highlighting areas where your organization’s defenses may be lacking.
  • Regulatory and compliance considerations, including potential fines and penalties for non-compliance or data breaches.
  • Your organization’s cybersecurity maturity and the areas in need of improvement.

Setting Priorities for Investment

With a clear understanding of the business objectives and key cyber risks, the next step is to prioritize investment in cybersecurity initiatives. Highlighting the most significant risks and potential impact will help the board to allocate resources wisely. When setting priorities for investment, take into account the following:

  • Cost-benefit analysis of different cybersecurity initiatives, considering factors such as potential risk reduction and return on investment.
  • Urgency and scalability of identified risks, with a focus on addressing high-priority issues without delay while keeping future growth and evolving threats in mind.
  • Alignment with industry best practices, security benchmarks and compliance standards to demonstrate commitment to a strong cybersecurity posture.
  • Appropriate metrics to track progress and success, allowing the board to monitor the effectiveness of cybersecurity investments.

By developing a clear cybersecurity strategy that aligns with business objectives, identifies key cyber risks, and sets priorities for investment, you will be in a better position to communicate the importance of cybersecurity to the board of directors and foster a cyber-aware corporate culture.

Effective Communication with the Board

Effective communication is a crucial aspect of delivering a successful cybersecurity presentation to the board of directors. By considering the following strategies, you can ensure that your message is both clear and impactful.

Using Clear and Concise Language

It is essential to avoid over-technical security language when speaking with the board. Instead, use layman’s terms and familiar analogies that board members can grasp quickly. This approach will help them understand complex security concepts and make informed decisions without being overwhelmed by technical jargon. Examples of simple language include:

  • Referring to “malware” as “malicious software” or “harmful programs”
  • Using “data breach” instead of “unauthorized access to sensitive information”

These adjustments will make your communication more accessible and enable board members to grasp the importance of cybersecurity risk management.

Visualizing Cybersecurity Data

Visual aids can support your message and enhance comprehension among board members when presenting cybersecurity data. Using charts, graphs, and other visual elements helps to highlight trends, patterns, and vulnerabilities within your company’s cybersecurity landscape. For example, you may consider using:

  • Pie charts to represent the proportion of various types of cyber threats faced by the organization
  • Line charts to indicate the growth or decline of security incidents over a specific period

These visualizations help board members to better understand complex data, making it easier for them to engage with your presentation and make well-informed decisions.

Connecting Cyber Risks to Business Impact

For a cybersecurity presentation to resonate with board members, it’s crucial to relate cyber risks directly to the organization’s business objectives and overall strategy. By showcasing the potential financial, operational, and reputational impacts of a cyber incident, you can drive home the significance of cybersecurity in sustaining long-term business success.

Some ways to relate cyber risks to business impact include:

  • Demonstrating the financial loss resulting from a data breach or ransomware attack
  • Highlighting how a cyber incident can affect client trust, leading to a loss of customers and market share
  • Stressing the importance of compliance with industry regulations and the potential consequences of non-compliance

By connecting the cybersecurity discussion to tangible business impacts, you’re more likely to garner support for investment in cybersecurity initiatives and promote a security-centric corporate culture.

Building a Cybersecurity Culture

Creating a strong cybersecurity culture within the organization is essential for managing cyber risk effectively. As a CISO, it is your responsibility to ensure that every employee understands the importance of cybersecurity and their role in maintaining the company’s security posture. Here are three key areas to focus on:

Promoting Employee Awareness

First and foremost, emphasize the importance of employee awareness through tailored security training and awareness programs. The human factor is involved in more than 85% of data breaches, as noted in the 2021 Verizon Data Breach Investigations Report. To build a successful cybersecurity culture, make security awareness training engaging and rewarding, and encourage a growth mindset. This can be achieved by gamifying training sessions, providing incentives for participation, and recognizing employees who demonstrate positive security behaviors.

Leadership Involvement

Strong leadership involvement is necessary for fostering a cybersecurity culture from the top down. Encourage the board of directors and the top management to champion cybersecurity initiatives, and communicate the importance of cybersecurity to the entire organization. As a CISO, leading by example is crucial in demonstrating the commitment to cybersecurity to employees.

Continuous Improvement

Establish a continuous improvement process for your cybersecurity program by regularly reviewing and updating policies, procedures, and technologies. Involve employees in the process by encouraging them to provide feedback and report security incidents without fear of retaliation. Benchmark your cybersecurity performance against industry standards and objective metrics to identify areas of improvement and track progress over time.

By focusing on these three key areas, you can build a strong cybersecurity culture within your organization, which will ultimately help you raise awareness of cyber risk, gain the willingness of the board of directors to invest in cybersecurity defense, and make cybersecurity a strategic part of the corporate culture.

Measuring Success

As a successful CISO, measuring the success of your cybersecurity program is crucial to ensuring continuous improvement and demonstrating the value of cybersecurity initiatives to the board of directors.

Using Key Performance Indicators

Establishing Key Performance Indicators (KPIs) can help quantify the effectiveness of your cybersecurity program. KPIs should be aligned with the organization’s overall objectives and risk appetite. Some examples of KPIs that you can use to measure the success of your cybersecurity efforts include:

  • Number of security incidents detected and resolved within a given period
  • Reduction in the time taken to detect and respond to incidents
  • Percentage of employees completing security awareness training
  • Number of vulnerabilities identified and remediated

These KPIs should be presented to the board of directors in a clear and easy-to-understand manner. This will help them grasp the significance of the data and make informed decisions regarding cybersecurity investments and strategic priorities.

Conducting Regular Reviews

Regular reviews of your cybersecurity program are essential to measure its effectiveness and identify areas for improvement. Schedule periodic meetings with the board of directors to discuss the progress of your cybersecurity program, share KPI data, and address any questions or concerns that may arise. During these meetings:

  • Provide an overview of the current cyber threat landscape, specifically highlighting threats relevant to your industry and organization
  • Discuss any recent security incidents and the actions taken to mitigate them
  • Share insights on emerging technologies and best practices in the cybersecurity industry that could benefit the organization
  • Seek feedback from board members to ensure their input is incorporated into the ongoing development and refinement of your cybersecurity program

By regularly reviewing your cybersecurity program with the board of directors, you can help keep cybersecurity at the forefront of their decision-making, foster a culture of cyber risk awareness, and drive the necessary investments to strengthen your organization’s security posture.

CISO Board Presentations: 9 Key Slides You Need

The end of the quarter is fast approaching and it’s time to put together your slide deck for the board meeting. Before you begin creating bulleted slides for all the projects your team is working on, take a moment to zoom out. What do your board of directors and C-suite colleagues really want to know?

Most executive leaders have 3 main questions about cybersecurity:

  • Where are we?
  • Where do we want to be?
  • How will we get there?

Answering these questions succinctly is no easy feat, so using a concise and simple narrative to guide your presentation is important. Your goal with this presentation is to help the Board meet its fiduciary duties. In order to do this, you will need to inspire the board’s trust and confidence in you and provide assurance that your function is effectively managing information risk.

4 Key Sections In Your Board Presentations

There are 4 key parts to your board presentation:

1. Summarize the last meeting and refresh your Board about your cybersecurity framework

Summarize the takeaways from the previous Board presentation. Follow-up on unresolved issues or any unanswered questions from the previous meeting. Refresh the Board on your security framework.

2. Present your risk dashboard and review events and changes in risk landscape

Update the Board on the overall risk landscape for your organization, including any notable events. Highlight risks that require immediate action. Present mitigation strategies and explain how the Board can help.

3. Review progress against your strategic Infosec roadmap

Present Infosec’s progress towards the strategic objectives that you presented earlier to the Board. Be transparent about any setbacks and say how you are managing through them.

4. Review any special topic

Discuss any topics that fall outside the scope of the other agenda topics. For example, relevant topics include M&A activity, a data breach, etc.

You can download a PowerPoint template that will help you organize your presentation to the board of directors. If you are a new CISO presenting to your board for the first time, you should use a variation of this template, which can be downloaded here.

“Automating” your board-level presentations

Sorry, can’t be done.

But we can help automate many of the KPIs you would like to report on. Balbix uses specialized AI to identify and prioritize your unseen vulnerabilities across 100+ attack vectors and help you mitigate these risk items. Balbix calculates risk, likelihood, and impact scores for every area of your business and provides intuitive visualizations for your presentations to the board and C-suite colleagues. You can use risk trends to understand how you’re progressing on cyber risk and determine a clear action plan for improving your cybersecurity posture. With Balbix, the board presentation that would’ve taken weeks to complete can be completed in minutes.

Request a demo to learn more.

CISO’s Guide to Presenting Cybersecurity to Board Directors

  • Cyber News, Hacks, News
  • March 24, 2024

Effective Communication with the Board

Successfully delivering a cybersecurity presentation to the board of directors relies heavily on effective communication. To ensure a powerful and easily understood message, use the following techniques: straightforward and brief language, visual presentation of cybersecurity information, and a clear connection between cyber threats and their impact on the business.

Using Clear and Concise Language

When speaking with the board, avoid over-technical security language. Instead, use layman’s terms and familiar analogies that board members can quickly comprehend. Examples of simple language include referring to “malware” as “malicious software” or “harmful programs” and using “data breach” instead of “unauthorized access to sensitive information”. These adjustments will make your communication more accessible and enable board members to grasp the importance of cybersecurity risk management.

Visualizing Cybersecurity Data

Charts, graphs, and other visual elements can help to highlight trends, patterns, and vulnerabilities within your company’s cybersecurity landscape. For example, pie charts can represent the proportion of various types of cyber threats and line charts can indicate the growth or decline of security incidents. These visualizations help board members to better understand complex data, making it easier for them to engage with your presentation and make well-informed decisions.

Connecting Cyber Risks to Business Impact

To make a lasting impact on board members, it’s important to relate cyber risks directly to the organization’s business objectives and overall strategy. Showcase the potential financial, operational, and reputational impacts of a cyber incident to emphasize the significance of cybersecurity in sustaining long-term business success. Demonstrate the financial loss resulting from a data breach or ransomware attack, highlight how a cyber incident can affect client trust, and stress the importance of compliance with industry regulations and the potential consequences of non-compliance.

  • Use clear and concise language when speaking with the board
  • Visualize complex cybersecurity data using charts and graphs
  • Connect cyber risks to business impact to emphasize the importance of cybersecurity

By considering these strategies when presenting to the board, you can ensure that your message is both clear and impactful.

Presenting the Business Case for Security to Your Board of Directors

IT and security leaders need to shift away from risk complexity conversations and toward alignment with business objectives.

By Jim Eckhart, Executive Security Advisor, Microsoft

In a landscape of evolving threats, cybersecurity is a critical discussion that must happen on a regular basis at the board level.

A favorite question that nearly all board members ask is: “Are we secure?” However, that’s a trick question because it entices a less-experienced security leader into a naïve answer: yes or no.

Board members want reassurance that risk is minimized, and that’s where the discussion must go. Risks cannot be eliminated entirely, so the focus should be on how to minimize them and to what extent. Minimizing risk comes not only at the additional cost of security investment and complexity of operations, but also at the expense of controls implemented within the business and the friction and loss of productivity that those controls might cause.

For this reason, it’s important for security leaders to shift the discussion from an IT-focused cybersecurity conversation to one of comprehensive digital risk management that addresses the complexity of securing core processes across the entire organization. In this article we will explore three different conversations that security leaders should have with their boards of directors on a continuous basis to align cyber-risk management with business objectives. 

Building and Implementing a Risk-Driven Program

Gaining stakeholder alignment is a difficult process when deciding what the security program should look like. This is often due to the disagreement and misalignment found in the management chain, which leads to many CISOs feeling conflicted and ill-equipped to satisfy the competing priorities across the organization.

Our recommendation to combat these challenges is to introduce a risk-driven security program. This program generally yields the most comprehensive and business-aligned approach to cyber-risk management.

A risk-driven security program is a bonus for the security leader because the risk ownership is shared across all stakeholders, meaning that the whole organization is thinking broadly about risk. In addition, this program tends to offer more complete funding that may also sit outside of IT, which means you get a much broader funding source.

The next step is turning everyone involved into a believer. A good way to do this is to conduct risk identification (see the chart above), which helps everyone understand who the threat actors are, what they are after, and how they might attack your organization. This allows organizations to build a program based on the risks that everyone has agreed upon.

These risks can then be plotted on a risk heat map (see chart below), enabling organizations to align risk tolerance with maturity targets set at the onset of the program. This helps teams address “Are we secure?” with the answer: “We have managed our risk down to a residual risk level that all of the stakeholders agree our organization can tolerate.”

Explaining How You’re Continuously Improving the Program

Completing all of the necessary “homework” in this first conversation helps organizations establish a strategic approach to achieving target maturity. The second conversation then centers on explaining to the board of directors what you are doing to improve the security program, in a way that everyone agrees with.

When setting these strategies, it’s important to help leadership recognize that conventional security tools have not kept pace with the rapid increase in the number and complexity of attacks, the increasingly complex regulatory landscape, or the complexity of increasingly distributed IT infrastructures.

The strategy needs to include solutions that can deal with the broadness of the modern-day attack surface. Microsoft offers broad solutions that cover three transformational, platform-enabled shifts of Zero Trust, Modern SOC, and Compliance, helping organizations reduce the number of tools they deploy, which increases productivity, security, and agility. Once the strategy is understood and endorsed by the board, it’s often followed by action-oriented sentiments such as: “What prevents you from moving faster?” and “Are you adequately funded to address the risks of the organization?”

Assessing the Effectiveness of the Program

The third conversation to have with the board on a regular basis is around assessing and demonstrating the effectiveness of the program. There are a number of different ways to do this. One method to demonstrate executive engagement is to run tabletop exercises. These cross-functional exercises engage all levels of management and are an excellent way to test the effectiveness of the organization’s decision-making capability under duress, while also testing the prevent, detect and respond mechanisms of the cybersecurity program. Both the decision-making capabilities and the mechanisms of the security program have been tested time and time again in real life by those organizations that have been unfortunate enough to fall prey to real-world human-operated ransomware attacks.

Other areas to consider include conducting continuous red/blue/purple team simulations that test how well the organization detects attacks. Of course, the age-old staples of board discussions must continue to include insightful representations of workload posture management, workforce assessments such as training and information handling, as well as crucial operational metrics such as mean time to detect and recover.

Communicating security risk in business language while demonstrating that security is a business driver helps build confidence among the board of directors and executive leadership. Having these conversations continuously, while reinforcing the importance of resiliency, risk mitigation, and governance, allows organizations to better streamline their security stacks to add value, save on costs, and strengthen their overall security.

To learn more about communicating with boards on cyber risks, watch our recent webinar here.

  • 01:45 Making the board recognize cyber risks
  • 05:30 Insider threats to intellectual property
  • 08:33 Preparing for board presentations
  • 11:50 Most commonly asked questions by board members
  • 15:40 Convincing metrics for the board
  • 20:00 Challenges in the board room
  • 23:47 Overcoming challenges in the board room
  • 27:05 Collaboration outside the board room
  • 32:45 Advice for CISOs

How to present cybersecurity programs better to the board of directors

Samudhra Sendhil in conversation with Peyman Parsi, Board member, CIO Association of Canada

Published on January 31, 2024

Navigating conversations about cybersecurity can pose a delicate challenge for both CISOs and board members. CISOs often face the task of persuading the board to invest in cutting-edge and expensive cybersecurity programs. But sometimes, board members struggle with the idea of making improvements on systems that already seem to work. They want assurance that the money they’re asked to invest is going to the places that need it the most.

Discover how to enhance boardroom awareness of cyber risks, address third-party vendor concerns, and effectively align cybersecurity investments with broader business goals and risk tolerance. Plus, we’ll dive into strategies for extending your influence beyond the boardroom by engaging stakeholders and fostering a culture of cybersecurity, not just with board members, but throughout the organization.

Tune in to our podcast and learn how to navigate cybersecurity discussions with finesse and maintain the board’s confidence with actionable strategies.

What you’ll learn:

  • How to bridge the gap between technical intricacies and strategic decision-making
  • The insider threats and third-party vendor risks to profitability
  • Strategies for aligning cybersecurity investment roadmaps with business objectives
  • Tips for addressing FAQs and tricky questions in the boardroom
  • How to extend a culture of cybersecurity beyond the boardroom


How to Communicate Cybersecurity to the Board of Directors


CNN Analyst Col. Cedric Leighton (U.S. Air Force, Ret.) kicked off a recent SecureWorld web conference with a level-set on where cybersecurity stands on reporting to the board.

The board wants to know more about cybersecurity

The good news is that the board of directors wants to play a part.

"Your board wants to be active on this, but you have to help do some translation for them around cybersecurity and train them to some degree."

The challenge for security leaders is remembering that the board faces continuous inputs on cyber risk from many directions. It might be coming from other business leaders, the mainstream media, or even social media.

Part of the CISO role is to help the organization separate the wheat from the chaff to see how much of that information is correct and how much of it matters to the organization.

"I think you need to transform yourself into a sort of intelligence officer, where you have a clear understanding of threats and can present those," Leighton says.

This leads to an important question: When you report this intelligence to the board, do you know what they are looking for or care most about? You should, and it should inform how you approach things.

Cybersecurity reporting, each board is different

In a poll question during the web conference, attendees were asked what their boards care about when it comes to security. This was a multiple-choice question:

Mike Maziarz, Chief Marketing Officer of SecurityScorecard, says the results verify the idea that each board is different. Maziarz was the second presenter in the web conference.

What is a CMO doing on a cybersecurity web conference?

"If you wonder why the marketing guy is here, it's because my role is to share messages effectively over multiple channels, and I'm excited to share some of my insights when it comes to communicating with the board."

Strategies for communicating cybersecurity to the board

For starters, he says there are three key things to keep in mind:

1. Boards can't improve what they don't understand.
2. You can learn to speak their language.
3. You can unlock board engagement and better decision making with an easy-to-understand framework and related benchmarks.

Maziarz suggests going back to the basics as a starting point by reminding the board of the following:

  • Adversaries do not play by the rules.
  • A hacker's mindset is unique.
  • They're adopting tech faster than we are.
  • They'll usually attack the weakest link, not the lock.

And when you are in the room presenting to the board—or discussing security investment with your CFO, for example—try to see the question behind their question.


Another consideration: how well your message travels. How does it resonate through the C-suite to the boardroom even when you are no longer in the room?

Maziarz also shared the S.C.O.R.E. framework his CISO uses to present to the board. The acronym stands for Secrets, Climate, Observations, Ratings, and Employees.


Turning your cybersecurity mission into a story for the board

Mitch Parker, CISO at Indiana University Health, presented next in the web conference, and he says you must create a story for the board around security.

You should start by figuring out who your board members are and what they value individually, if possible.

"If you do not do your research, you will be eaten alive," says Parker.

He suggests following them on social media and looking at them on LinkedIn. Are they sharing or liking certain kinds of articles or posts that reveal their hot button issues? Whatever you say about security will be viewed through each board member's point of view.

Next, he says you must understand your organization and where the board of directors and your CEO want to take it. You can build your presentation on cybersecurity around those themes.

"You want to first talk about your core initiatives. Talk about the core initiatives that tie into the core missions and value to the organization. Talk about what they directly support, even though they might not be core to your mission, the core to the organization.

Talk about what they are, talk about how they fit, talk about the most important ones, because realistically, if you're working in security, you're part of every core issue, even if it's a minor part. And you've got to show your part of those core initiatives."

And here's another thing you can practice before any board presentation: Be ready to explain what your team does without mentioning tools or technical solutions, and be able to do this in about 30 seconds.

On-demand cybersecurity webinar: presenting to the board

Do you need to present cybersecurity to the board? Do you need to prepare your CEO or your CIO to do it? Watch this complimentary web conference (on demand) to make sure you are on track: Communicating Cybersecurity to the Board.

The web conference is full of actionable information you can implement immediately to prepare for your next critical presentation on cybersecurity.


Boards and cybersecurity

The board agenda has been crowded since the start of the pandemic, and many issues have acquired new urgency. In this episode of the Inside the Strategy Room podcast, Frithjof Lund, the leader of our board services work, speaks with two cybersecurity experts about how boards of directors should help their organizations ensure they are prepared for potential cyberattacks. John Noble is the former director of the United Kingdom’s National Cyber Security Centre and a board member of NHS Digital, the national information and technology partner to the country’s National Health Service. Wolf Richter is a McKinsey partner who helps chief information officers (CIOs) capture the benefits and mitigate the risks of tech-enabled transformations. You can listen to the episode on Apple Podcasts, Spotify, or Google Podcasts.

Frithjof Lund: Cybersecurity has been on the board agenda for some time. In our latest global board survey, participants rated it among their top four priorities. However, when we ask board members about their key challenges today, only one in five mentions cybersecurity. Have you seen a shift in how companies are approaching this issue?

Wolf Richter: It used to be mainly the regulated industries—particularly banks and insurance companies, as well as utilities and public-sector entities on critical national infrastructure—that prioritized cybersecurity. After the WannaCry ransomware attack a couple of years ago, however, many others realized that even without being on the high-target list, they could fall victim to a cyberattack. Retailers and manufacturing companies in particular have become a lot more aware of the vulnerabilities that digitization brings to their operations. Now that working from home has become the norm, and given the massive increase in ransomware attacks that we are seeing, most companies realize how vulnerable they are in an environment where most of their business and employee interactions are conducted through online channels.

Frithjof Lund: You mentioned an increase in cyberattacks. What is driving it?

John Noble: There are two things. One is the change in the business model among the people carrying out these attacks. Cybercrime is becoming industrialized. Vulnerabilities are identified by one set of groups that then share the information with criminal groups. Those criminal groups can, in effect, lease the ransomware in exchange for a percentage of the profits and employ it against victims. That has enabled a massive increase in both the volume of attacks and their sophistication. Ransomware can not only affect the availability of your systems but also result in the release of sensitive data.


Frithjof Lund: Are companies sufficiently prepared to handle this rising threat?

Wolf Richter: It’s a mixed bag. It is becoming apparent who has been thinking about cybersecurity systematically and who has just recently woken up and is starting to improvise. On the one hand, we have seen a massive acceleration in digitization as companies have moved their operations to the cloud and granted remote access to employees. Needless to say, very few had the time to think through the cybersecurity implications. On the other hand, those who have spent the past couple of years preparing—identifying their critical assets and processes, testing the procedures with employees, putting in place emergency plans and fallback scenarios—are seeing those investments pay off.

Frithjof Lund: What approach should boards take to this topic, especially those whose companies are less prepared?

Wolf Richter: The board of directors and the executive leadership need to engage in a critical conversation. The board’s responsibility is to make sure that the executive team has a plan, is prepared, and is preparing the whole organization for the eventuality of an attack. The question is not whether the attack is going to happen and how to prevent it. The real questions are, when will it come? Is the organization prepared to detect it? Is it prepared to stop it? Can it mitigate the effects and get back to normal operations as quickly as possible?

John Noble: Cybersecurity is an issue for the whole organization. Whether it is in advance of or during an incident, you should not just leave it to the chief information officer and the technical team. Leaders need to decide how to manage the tensions between usability, security, and cost, and that is very much where we need the board challenging and testing processes.


Frithjof Lund: What should a board do when an incident happens? John, you have seen that up close in many situations.

John Noble: Going back to preparedness, there is a big difference between how an organization reacts if it has exercised its processes around dealing with an attack in advance and one that has not. Communication is essential. There needs to be a single version of the truth, so everybody both within and beyond the organization understands how the incident is being handled. The board has a crucial role there in supporting the executive team. As I saw during the 800-odd incidents while I was at National Cyber Security Centre, the executive teams are under tremendous pressure and they need the board’s support and guidance.

The WannaCry incident in May 2017 had a very big impact on the UK National Health Service, where I am now a nonexecutive director on the NHS Digital board. The important thing at the board level was communicating with the vast number of stakeholders across the healthcare system. I can’t say that the NHS got everything right, but it certainly learned a tremendous number of lessons. This meant that going into the pandemic, the board was much more prepared, understanding the vulnerabilities we are carrying and asking the right questions around how those are being mitigated.

Frithjof Lund: Any caveats you would highlight for boards or management teams?

John Noble: Generally, the incident response will go badly if it is just left to the CIO and the technical team. They have a critical role in resolving the incident, but the consequences go beyond the immediate damage. There will be reputational, legal, and operational issues. You need the whole senior-management team to come together.

Wolf Richter: A cyberattack tends to elevate and exacerbate tensions that already exist within an organization. I have seen things go particularly poorly in decentralized organizations with no central leadership team or where it was unclear who would lead during a crisis. When people are not used to working together, establishing trust during a crisis is extremely difficult. Finger-pointing starts, and people fight each other instead of the enemy attacking them from outside.

Frithjof Lund: How do you build cybersecurity capabilities within the organization? What are the key areas boards should focus on?

Wolf Richter: First and foremost is awareness among the whole leadership team. We often see a concerned board member and the CIO but a vast amount of ignorance in between. There should be a shared sense of urgency about this issue within the executive team and the level below. It’s about the awareness that this is not something that affects others but is an existential threat to the organization in the digital world.

The second step is to develop the concepts and tools. This is the hard, unglamorous work that has nothing to do with the folks in black hoodies building some new cybersecurity incubator. It’s about checking, which are the critical assets and processes? Are there procedures in place in case of an attack? It is important during this phase to balance the controls and red tape you put in place so it does not stifle internal innovation, which can give cybersecurity efforts a poor reputation. That’s why these initiatives should be led by people with a business mindset, not just a control or technology mindset.

That leads to the third part, which is building capabilities. This affects the whole company—the process architects and marketing and salespeople when they negotiate with customers, who more and more are asking about security features, especially in engineering and high-tech industries. All these folks need to know whom to turn to for information. When cybersecurity becomes a joint capability, the whole organization becomes more cyber resilient.


John Noble: I would add that with ransomware, one of the big risks is around legacy equipment, which almost every organization has. It represents a vulnerability that attackers are exploiting. We have to treat legacy equipment as untrustworthy and put in place controls to manage it. But only some of those controls are technical, and the business and IT teams need to engage to see whether some of the risk can be managed in other ways. Is that equipment needed? Can it be segmented? Maybe the answer is to migrate to the cloud, which will have investment implications.

Frithjof Lund: If I am a board director concerned about cybersecurity, how do I best understand how well my organization is prepared?

Wolf Richter: There are a couple of ways to measure this. Ideally, an organization would measure the business value at risk from a given incident. However, most companies lack the transparency or a reliable model to translate and collate the business impact of an incident. Many companies turn to what is called a maturity-based approach, using outside benchmarks to assess their controls’ relative level of maturity. While that is better than not managing cybersecurity at all, sometimes it leads to the wrong incentive to simply invest in more controls.

If I were a board member, I would ask which assets or parts of the organization the cybersecurity team and the leadership team focus their attention on. Have they identified employee groups that are particularly vulnerable, such as field service agents or customer service representatives? Do they know how many people have privileged user rights? We live in an environment of scarce resources, and the executive team needs to balance the investments in cybersecurity with investments in all other parts of the business. The more specific they are in targeting initiatives toward specific systems, infrastructures, processes, and people, the better I would feel as a director.

John Noble: I think that’s so important. We cannot just rely on KPIs such as the percentage of service that has been updated. You need to have that engagement. Another way the board can get further assurance is through a third-party challenge, such as penetration testing of critical assets. When was the last penetration test carried out? What did it reveal? What recommendations have been taken forward? But before you do that, you have to identify what is critical and needs to be protected.

Frithjof Lund: Are there cybersecurity investments you see companies making that are poor uses of resources?

John Noble: The cybersecurity market is still immature, and many people are trying to sell boxes that promise to “fix” all your cybersecurity problems. There is no single solution for cybersecurity. It needs to encompass a range of measures, and the most effective measures tackle the basics that make companies vulnerable around security updates, authentication, and how you access and configure the systems.

Wolf Richter: I often see companies doing one-time capital investments but shying away from operating investments in the people. We evaluated one insurance carrier that had a beautiful security operating center, all the licenses and sensors in place, but they lacked the staff to make it run 24/7. You need to have somebody processing the information, but they had one guy who was tasked part-time with translating and sharing the data with the rest of the organization. Of course, it didn’t happen. Companies are overinvesting in some parts but not thinking about how to bring those investments into the day-to-day decision making.

John Noble: To build on that, I saw a case study presented recently by one of the leading companies in this area, around how their detection system that uses artificial intelligence had flagged a system compromise. It turned out that there was nobody to interpret this data, so despite all that investment in a very expensive and sophisticated detection system, nobody took action to prevent damage.


Frithjof Lund: What about the capabilities within the board itself? Where are the main gaps?

John Noble: I think it’s essential that somebody on the board has cybersecurity expertise to provide a challenge for the CIO and the chief security officer [CSO]. They can also help with building up the overall board’s knowledge, because leaving cybersecurity to one person is absolutely not the answer. You need the whole of the board to engage, to bring their experience of other areas to provide the right challenge in this space.

Wolf Richter: We need to demystify cybersecurity. The typical reaction of a board that has low cybersecurity skills is, “Ooh, that is not a topic for us. Let’s call the CSO or the CIO and they can explain what is happening.” But cybersecurity is not rocket science. It is somebody tinkering with your processes, systems, assets, and data. This realization usually comes easier if a board member says, “It is our job to make sure the organization is prepared. We don’t have one guru or wizard who will fix all our problems.”

John Noble: I very much recognize that description. The organizations that are not cyberliterate want to leave it to the CIO and the CSO. But those executives want to share some of the risks and to expose the critical issues to the board, not least because these issues often require investment and difficult trade-offs between cost, usability, and security.

Frithjof Lund: John, you mentioned that even having one cyberliterate board director could help build the capabilities of the entire board. Can you elaborate?

John Noble: I have seen companies organize exercises that serve as both teaching opportunities and opportunities to highlight the risks the organization faces: giving the board a briefing on the threat and then looking at how best-in-class companies address it.

Wolf Richter: We insert cyberexercises into Silicon Valley trips we do with boards. The directors visit high-tech companies and then we show them the dark side of digitization, demonstrating what can happen if you don’t pay attention to the risks that come with the opportunities that technology provides. Getting their attention when they are doing something special outside their normal duties has proven tremendously effective in making it memorable.

Frithjof Lund: Wolf, you mentioned at the start an acceleration of attacks. What will be the big cybersecurity threats in the coming years?

Wolf Richter: We see a massive professionalization as more organized crime discovers cyberattacks as a profitable activity. You need to expect attackers to be equipped with almost military-grade weapons. The large military organizations have invested heavily in building those cybertechnologies, and we have seen more than one event where one of these military-grade attacks had leaked out onto the dark net. It’s like placing machine guns in the hands of burglars around the corner.


The big difference is that these digital machine guns are tremendously hard to control and extremely easy to replicate. This is simply code—coding tools that you can copy and share with others. On the other hand, the goal of many attacks we are seeing, particularly involving ransomware, is to make money, so at some stage there is a negotiation over the ransom. That combines cybercrime with good old-fashioned crime that police and private investigators have experience with.

Much is happening on the technology side as well. The shift to the cloud poses a whole new set of risks. While, by and large, the infrastructures of the large-scale cloud providers are much more secure than what most companies can implement in their own data centers, it is naive to believe that the cloud service provider will take care of all your security needs. On the contrary: we are seeing a massive increase in breaches of cloud-hosted applications for lack of proper configuration. Your IT department needs to acquire a new set of engineering skills to manage cloud environments.

John Noble: The cloud, as you say, Wolf, is a great opportunity, in particular to move off legacy infrastructure, but issues such as authentication remain your company’s responsibility. It’s very important that the board understands that however secure cloud service providers may be, the company still holds a great deal of the risk. And, sadly, we see some very large-scale breaches as a result of people simply not understanding how the cloud works.

Frithjof Lund: Do you have any advice for board directors on how they can stay on top of the battle against cyberattackers?

Wolf Richter: Any digitization program should have a cybersecurity budget. Companies need to drive digitization in a secure manner. Haphazard digitization just creates legacy infrastructure of the future, so you need to use best practices now in terms of secure coding, secure agile, secure DevOps. Companies need to make sure there is a security mindset across the whole life cycle.

John Noble: I don’t think it is inevitable that companies will be compromised. There are opportunities to get this right and they are around recognizing the genuine threat. We are building national economies on something that is inherently unsafe—the internet—and we have to mitigate that by taking a series of measures. The board has to ensure that executive leaders are looking at both the worst-case and best-case scenarios and are prepared to make some compromises to ensure a secure infrastructure.


CISO series: Talking cybersecurity with the board of directors

By Microsoft Secure Blog Staff

In today’s threat landscape, boards of directors are more interested than ever before in their company’s cybersecurity strategy. If you want to maintain a board’s confidence, you can’t wait until after an attack to start talking to them about how you are securing the enterprise. You need to engage them in your strategy early and often—with the right level of technical detail, packaged in a way that gives the board exactly what they need to know, when they need to know it.

Cyberattacks have increased in frequency and size over the years, making cybersecurity as fundamental to the overall health of the business as financial and operational controls. Today’s boards of directors know this, and they are asking their executive teams to provide more transparency on how their company manages cybersecurity risks. If you are a technology leader responsible for security, achieving your goals often includes building alignment with the board.

Bret Arsenault, corporate vice president and chief information security officer (CISO) for Microsoft, was a recent guest on our CISO Spotlight Series, where he shared several of his learnings on building a relationship with the board of directors. We’ve distilled them down to the following three best practices:

  • Use the board’s time effectively.
  • Keep the board educated on the state of cybersecurity.
  • Speak to the board’s top concerns.

Use the board’s time effectively

Members of your board come from a variety of different backgrounds, and they are responsible for all aspects of risk management for the business, not just security. Some board members may track the latest trends in security, but many won’t. When it’s time to share your security update, you need to cut through all the other distractions and land your message. This means you will want to think almost as much about how you are going to share your information as what you are going to share, keeping in mind the following tips:

  • Be concise.
  • Avoid technical jargon.
  • Provide regular updates.

This doesn’t mean you should dumb down your report or avoid important technical information. It means you need to adequately prepare. It may take several weeks to analyze internal security data, understand key trends, and distill it down to a 10-page report that can be presented in 30 to 60 minutes. Quarterly updates will help you learn what should be included in those 10 pages, and it will give you the opportunity to build on prior reports as the board gets more familiar with your strategy. No matter what, adequate planning can make a big difference in how your report is received.

Keep the board educated on the state of cybersecurity

Stories about security breaches get a lot of attention, and your board may hope you can prevent an attack from ever happening. A key aspect of your role is educating them on the reasons why no company will ever be 100 percent secure. The real differentiation is how effectively a company responds to and recovers from an inevitable incident.

You can also help your board understand the security landscape better with analysis of the latest security incidents and updates on cybersecurity regulations and legislation. Understanding these trends will help you align resources to best protect the company and stay compliant with regional security laws.

Speak to the board’s top concerns

As you develop your content, keep in mind that the best way to get the board’s attention is by aligning your messages to their top concerns. Many boards are focused on the following key questions:

  • How well is the company managing its risk posture?
  • What is the governance structure?
  • How is the company preparing for the future?

To address these questions, Bret sticks to the following talking points:

  • Technical debt—An ongoing analysis of legacy systems and technologies and their security vulnerabilities.
  • Governance—An accounting of how security practices and tools measure up against the security model the company is benchmarked against.
  • Accrued liability—A strategy to future-proof the company to avoid additional debts and deficits.

When it comes to effectively working with the board and other executives across your organization, a CISO should focus on four primary functions: manage risk, oversee technical architecture, implement operational efficiency, and most importantly, enable the business. In the past, CISOs were completely focused on technical architecture. Good CISOs today, and those who want to be successful in the future, understand that they need to balance all four responsibilities.

Be sure to check out the interview with Bret in Part 1 of the CISO Spotlight Series, Security is Everyone’s Business, to hear firsthand his recommendations for talking to the board. And in Part 2, Bret walks through how to talk about security attacks and risk management with the board.

The National Institute of Standards and Technology (NIST) Cybersecurity Framework is a great reference if you are searching for a benchmark model.

To read more blogs from the series, visit the CISO series page.


How to prepare company boards for new cybersecurity rules


Corporate boards need to effectively oversee cybersecurity. Image:  Freepik.

Daniel Dobrygowski


  • New SEC proposed rules will significantly increase public companies’ reporting of cybersecurity breaches and oversight practices.
  • The World Economic Forum has published global recommendations for boards of directors to help them comply with the new rules.
  • The key to effective oversight will be viewing cybersecurity as a strategic issue, understanding the economics of cyber risk, and incorporating cyber risk expertise into board oversight.

Good cyber strategy is good business strategy. For years, cybersecurity professionals have understood this. More recently, leading CEOs and independent directors have acknowledged it, and now regulators are proposing new rules to establish it.

On 9 March 2022, the Securities and Exchange Commission (SEC, the US regulator charged with protecting investors and capital markets) proposed new rules that would significantly increase public companies’ reporting of both cybersecurity breaches and what executive management and the board are doing to mitigate cyber risk.


Given the SEC’s regulatory footprint, this action should be a wake-up call to business leaders around the world. While the proposed rules are not yet in force, the SEC’s views on cyber risk raise important considerations for boards of directors, including management reporting, organization, and even composition.

What are the new cyber risk requirements for boards?

In particular, board directors need to take note of the SEC’s proposals related to governance and board expertise. The SEC explicitly calls out cyber risk oversight as material to investors’ ability to understand a company’s strategy. Specifically, the SEC plans to ask: who on the board is informed of cyber risk issues; how they receive that information; how often the board considers cyber risk; and how cyber risk is integrated into business strategy, risk management, and financial oversight.

Potentially even more significant is the SEC’s new proposal to require disclosure of board members' expertise in cybersecurity. This new requirement will be a signal to investors around the world that how a company views cyber risk matters at the highest level. It aims to put cyber expertise on the same footing as the mastery of business strategy, financial acumen, and leadership skills that have traditionally been the focus of board director recruitment. Since the subjects being reported tend to lead in terms of company focus, reporting on board expertise in cyber is likely to finally catapult cybersecurity from a back-office function to a core capability of business leaders going forward.

Reporting on board expertise in cyber is likely to finally catapult cybersecurity from a back-office function to a core capability of business leaders.

These new requirements, nudging the business community toward better board reporting and greater board expertise on cyber risk issues, come at a crucial time. The pace and sophistication of cyber attacks against businesses are increasing rapidly. IBM’s Cost of a Data Breach Report 2021 showed that last year average “data breach costs rose from $3.86 million to $4.24 million,” the highest average total cost in the report’s 17-year history.

At the same time, business leaders across the world recognize, as described in the World Economic Forum’s Global Risks Report 2022, that the risk of cybersecurity failure represents a critical global threat in both the short and long term. Yet there is a disconnect between corporate leadership’s perception of their preparedness and resilience to cyber threats, and the facts on the ground as reported by cybersecurity professionals.

Differences in perceiving cyber resilience as a business priority. Source: Global Cybersecurity Outlook 2022, the World Economic Forum.

The Global Cybersecurity Outlook 2022, a Forum survey, found that “while 92% of business executives surveyed agree that cyber resilience is integrated into enterprise risk management strategies, only 55% of security-focused leaders surveyed agree with the statement.” The SEC proposed rule would require companies (at least those traded on US exchanges) to shrink that gap or explain themselves to their investors.

How can boards prepare for the new cybersecurity rules?

Luckily, there is already good guidance available for companies and their directors to prepare themselves for the new rules. Distilling the best resources globally, there are clear steps that boards of directors can take so that, when the time comes, their SEC reporting reflects a forward-looking and resilient organization, led by an effective board that takes its oversight role on cyber risk seriously.

For the past six years, the Forum has published global recommendations for boards of directors that will help them comply with the new rules. As recommended in the Forum’s 2021 guidance, Principles for Board Governance of Cyber Risk (published in collaboration with the NACD and ISA), boards can effectively oversee cyber risk in six key ways:

  • See cybersecurity as a strategic business enabler.
  • Understand the economic drivers and impact of cyber risk.
  • Align cyber-risk management with business needs.
  • Ensure organizational design supports cybersecurity.
  • Incorporate cybersecurity expertise into board governance.
  • Encourage systemic resilience and collaboration.

Principles for Board Governance of Cyber Risk, Insight Report 2021. The World Economic Forum.

Three of these important principles are directly relevant to the SEC’s likely new requirements:

1. Recognize cybersecurity as a strategic business enabler

Modern boards must recognize that cyber threats are persistent and strategic enterprise risks, and that good cybersecurity directly contributes to the creation and preservation of value. This requires a mindset shift and a new understanding of cyber risk – from an IT department cost to a strategic imperative that demands board attention. This understanding will help boards ensure cyber risk reporting is frequent and detailed (and structured in the best way to ensure effective board oversight) to reflect the effective cyber risk governance that the SEC and investors are likely to expect in the new reporting rules.

The SEC also specifically requires reporting on the designation of a chief information security officer (CISO) or, as the Forum termed this role in its 2017 guidance for boards, the cyber resilience “accountable officer.” As that guidance suggests, this officer should not only have the expertise required to understand cyber risk and its company-wide implications, but also sufficient authority, resources, and access to senior leadership to successfully promote cyber resilience.

2. Understand the economic drivers and impact of cyber risk

One of the most important roles the board has in its cyber risk oversight is to review and approve the enterprise’s risk appetite. This means that the board must demand cyber risk indicators be presented in financial and economic terms so that they can be effectively compared to other risks and priorities in the company.


3. Incorporate cybersecurity expertise into board governance

The new reporting requirement on board members’ cyber expertise introduces the potential for a new type of executive to be considered for board service. However, the SEC specifically notes that “we do not intend for the identification of a cybersecurity expert on the board to decrease the duties and obligations or liability of other board members”. Knowledge of cyber risk issues is, therefore, still required of the board as a whole and cannot be foisted on a “cybersecurity board member”. On the contrary, board members with cyber expertise will be crucial partners in ensuring the continued education of the board as a whole and a key leader in holding management accountable to fully considering cyber risk.

In the end, good cyber risk oversight, such as that likely to be required by the SEC, is synonymous with good oversight in general. The SEC’s rules, while they reflect the shifting digital landscape, continue to promote the time-tested values of board governance: strategic thinking, good judgment, holding management accountable, and inclusion of relevant expertise. While the new rules will require some changes, boards already have the tools they need to make those changes effectively. Preparation for the new reporting rules is, effectively, preparation for overseeing a sustainable, resilient, and effective company in the 21st century.


7 Cyber Security KPIs That Will Resonate on a Cybersecurity Dashboard for Your Board of Directors


As cyber risk increases, business leaders are seeking greater visibility and understanding of their organizations’ security programs. Their goal is to understand where cyber security risks are, where to invest resources, and how these investments are paying off.

Yet the data generated by security platforms and reporting tools is sometimes very technical in nature and doesn’t provide a complete picture of risk. With less-technically skilled individuals on the board and in the C-suite taking on increasingly significant roles in cybersecurity oversight, it’s useful to provide more straightforward, aggregated information. Cyber security dashboards are an effective way to do this, especially for your board of directors.

By boiling down volumes of technical details into easy-to-understand metrics, you can facilitate data-driven conversations and communicate the broad spectrum of cyber risk your company faces.

Since each organization’s security priorities differ, there isn't a single approach towards creating the best report for your board. But here are some of the more commonly requested and valuable cybersecurity KPIs that can be integrated into any dashboard.

1. Security rating

A security rating is a critical metric that indicates your organization’s overall security performance and supports rapid and meaningful decision making by executives.

Similar to a credit score, Bitsight Security Ratings range in value from 250 to 900, with a higher rating equaling better security performance. Your security rating also provides insight into your organization’s likelihood of experiencing a data breach – companies with a rating of 500 or lower are nearly five times more likely to be breached than those with a rating of 700 or higher.  

2. Average vendor security rating over time

Bitsight Security Ratings can also be used to continuously monitor the security performance of your vendors and third parties. With this insight, you can communicate any risk in your vendor portfolio to the board so they can make data-driven decisions about third-party risk management (TPRM) policies.

While individual vendor security ratings are an important metric to monitor, be sure to track the average rating of all your vendors over time so that the board can see at-a-glance whether your TPRM program is getting results.

3. Patching cadence grade

Patching cadence is a measure of how quickly critical security patches are applied and can be graded on a scale from A to F. 

Patching cadence is an important KPI, since a failure to apply patches in a timely manner can expose your organization to cyber risk. When Bitsight analyzed hundreds of ransomware events, we found that organizations that delay applying patches are more likely to be victims of ransomware. In fact, organizations with a patching cadence grade of D or F are seven times more likely to experience a ransomware event compared to those with an A grade.

4. Intrusion attempts within a given period

Intrusion attempts are unauthorized efforts to access your networks and are recorded by your intrusion detection/prevention system. In addition to communicating the true risk your systems face, this KPI can indicate whether improvements in your security program are having a positive impact over time.

5. Mean time to detect/resolve

Mean time to detect (MTTD) is a measurement of how long it takes your security team to become aware of a potential security incident and is an indicator of the effectiveness of your security operations. MTTD metrics can be sourced from your security information and event management (SIEM) platform.

Mean time to resolve (MTTR) is also tracked by your SIEM and measures the time to remediate a threat after it has been discovered. If your MTTR is trending upwards, it could indicate that the board needs to allocate more resources to the security operations center.

6. Phishing test results

Phishing emails are among the most common attack vectors for ransomware. Performing a phishing test – sending mock phishing emails to employees and seeing how they react – is one of the best ways to determine the human-related risk your organization faces, as well as the urgency of security awareness. This KPI is available from the phishing simulation solution or managed phishing service provider.

7. Instances of shadow IT

It is becoming increasingly common for hackers to exploit shadow IT, such as cloud software and external devices and technologies that are connected to a company's network without the knowledge of the IT department. Since they are not vetted through the typical onboarding process, these non-approved technologies may have security standards that fall below your normal risk thresholds.

Monitoring and reporting instances of shadow IT isn’t easy. But with Bitsight Attack Surface Analytics, you can continuously discover hidden assets and cloud instances on your network – and their inherent risk to your business. With this insight, the board of directors can develop security policies and enforcement guidelines to rein in the risk posed by shadow IT.
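As an added example (not code from Bitsight or the article's author), the following Python rolls KPIs 3 to 6 above into a single board-ready summary from constructed incident, patch, IDS and phishing records, including the "MTTR trending upwards" check the article calls out. The A to F grade thresholds, the 10% trend tolerance and all sample data are assumptions made for this example.

```python
"""Board KPI rollup for a security dashboard (added example, not Bitsight's code).

Derives patching cadence grade, intrusion attempts, MTTD/MTTR with a trend
flag against the previous period, and phishing click rate. Grade thresholds,
trend tolerance and all sample records below are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median
from typing import Optional, Tuple


@dataclass
class Incident:
    occurred: datetime   # first attacker activity, established by forensics
    detected: datetime   # SOC opened the case (from the SIEM)
    resolved: datetime   # threat remediated (from the SIEM)


@dataclass
class Patch:
    released: datetime   # vendor released the critical patch
    applied: datetime    # patch deployed across the estate


Period = Tuple[datetime, datetime]   # half-open [start, end)

# Assumed grading scale: median days from release to deployment of critical patches.
GRADE_SCALE = (("A", 7), ("B", 14), ("C", 30), ("D", 60))   # anything slower is F


def in_period(t: datetime, period: Period) -> bool:
    return period[0] <= t < period[1]


def patching_cadence_grade(patches, period: Period):
    """Grade the median release-to-deploy time of critical patches released in the period."""
    days = [(p.applied - p.released).total_seconds() / 86400
            for p in patches if in_period(p.released, period)]
    if not days:
        return ("N/A", None)          # no critical patches due: nothing to grade
    med = median(days)
    for grade, limit in GRADE_SCALE:
        if med <= limit:
            return (grade, med)
    return ("F", med)


def intrusion_attempts(alerts, period: Period) -> int:
    """Count IDS/IPS alerts recorded within the period."""
    return sum(1 for t in alerts if in_period(t, period))


def mean_times(incidents, period: Period) -> Optional[Tuple[float, float]]:
    """(MTTD, MTTR) in hours for incidents detected in the period; None if there were none."""
    rows = [i for i in incidents if in_period(i.detected, period)]
    if not rows:
        return None
    mttd = mean((i.detected - i.occurred).total_seconds() / 3600 for i in rows)
    mttr = mean((i.resolved - i.detected).total_seconds() / 3600 for i in rows)
    return (mttd, mttr)


def phishing_click_rate(sent: int, clicked: int) -> float:
    """Share of simulated phishing emails whose link was clicked, as a percentage."""
    return round(100.0 * clicked / sent, 1) if sent else 0.0


def trend(current, previous, tolerance: float = 0.10) -> str:
    """'up' / 'down' / 'flat' versus the previous period, ignoring moves within tolerance."""
    if current is None or previous is None or previous == 0:
        return "n/a"
    change = (current - previous) / previous
    return "up" if change > tolerance else "down" if change < -tolerance else "flat"


def board_dashboard(incidents, patches, alerts, phish, period: Period, previous: Period):
    """One-screen summary: every value is a number or a grade, never a raw log line."""
    cur, prev = mean_times(incidents, period), mean_times(incidents, previous)
    grade, med_days = patching_cadence_grade(patches, period)
    hits, prev_hits = intrusion_attempts(alerts, period), intrusion_attempts(alerts, previous)
    return {
        "patching_cadence_grade": grade,
        "median_days_to_patch": med_days,
        "intrusion_attempts": hits,
        "intrusion_trend": trend(hits, prev_hits),
        "mttd_hours": cur[0] if cur else None,
        "mttd_trend": trend(cur[0] if cur else None, prev[0] if prev else None),
        "mttr_hours": cur[1] if cur else None,
        "mttr_trend": trend(cur[1] if cur else None, prev[1] if prev else None),   # "up" => more SOC resources?
        "phishing_click_rate_pct": phishing_click_rate(*phish),
    }


def dt(month: int, day: int, hour: int = 0) -> datetime:
    return datetime(2024, month, day, hour)


Q1 = (dt(1, 1), dt(4, 1))
Q2 = (dt(4, 1), dt(7, 1))

# Constructed sample data; not real incidents, patches or alerts.
INCIDENTS = [
    Incident(dt(1, 10, 8), dt(1, 10, 20), dt(1, 12, 8)),    # Q1: detected in 12h, resolved 36h later
    Incident(dt(2, 3, 0), dt(2, 3, 6), dt(2, 4, 6)),        # Q1: 6h, 24h
    Incident(dt(4, 15, 9), dt(4, 16, 9), dt(4, 19, 9)),     # Q2: 24h, 72h
    Incident(dt(5, 20, 10), dt(5, 20, 14), dt(5, 23, 14)),  # Q2: 4h, 72h
]
PATCHES = [
    Patch(dt(2, 1), dt(2, 4)),     # Q1: 3 days
    Patch(dt(4, 5), dt(4, 9)),     # Q2: 4 days
    Patch(dt(4, 20), dt(4, 26)),   # Q2: 6 days
    Patch(dt(5, 2), dt(5, 22)),    # Q2: 20 days
    Patch(dt(5, 10), dt(6, 14)),   # Q2: 35 days
]
IDS_ALERTS = [dt(1, 5), dt(3, 2), dt(4, 3), dt(5, 9), dt(6, 30)]
PHISHING = (200, 18)   # simulated emails sent, links clicked

if __name__ == "__main__":
    for key, value in board_dashboard(INCIDENTS, PATCHES, IDS_ALERTS, PHISHING, Q2, Q1).items():
        print(f"{key:24} {value}")
```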

Choosing the right KPIs

Choosing metrics for a cyber security dashboard for the board of directors can be a high-stakes exercise. The right KPIs can help executives and board members clearly understand the risks facing your organization and gain support for security budgets and programs. On the other hand, KPIs that are too technical or confusing can derail discussions or fail to gain traction.

Focus on metrics that aren’t reliant on guesswork, are accurate, and will be understood by individuals with non-technical backgrounds. The most important KPIs should also be calculated quickly and easily, and not require hours to export, manipulate, and calculate.

The list above is just a sampling of cyber security dashboard KPIs. For a more comprehensive list, check out 16 At-a-Glance Cyber Security KPIs to Add to Your Dashboard.


Help Net Security

Advanced cybersecurity strategies boost shareholder returns

Companies demonstrating advanced cybersecurity performance generate a shareholder return that is 372% higher than their peers with basic cybersecurity performance, according to a new report from Diligent and Bitsight.


Boards under pressure to fortify cyber oversight

The escalation in the frequency and severity of cyber incidents has positioned cyber risk as one of the foremost challenges confronting boards. With cyber threats becoming increasingly sophisticated and pervasive, boards are under pressure to effectively address cybersecurity risks to safeguard their organizations’ interests.

With projected financial losses from data breaches estimated to reach approximately USD 10.5 trillion by 2025, and new pressure from regulators like the SEC, the oversight role of the board becomes even more crucial. Boards are prioritizing robust oversight mechanisms to mitigate cyber risk and protect their organizations’ financial health and reputation.

However, the approaches boards take to address cyber risk vary, prompting questions about the effectiveness of different board governance structures and strategies.

The report also reveals that highly regulated industries, such as healthcare and financial services, have the highest cybersecurity ratings, and companies with either a specialized risk committee or audit committee achieve better cybersecurity performance compared to those with neither, with ratings of 710 and 650 respectively.

“These findings show that cybersecurity is not just an IT problem — it is an enterprise risk that has material impact on a company’s near-term performance and long-term health, and one that management and the board need to be up to speed on,” said Dottie Schindlinger, Executive Director of the Diligent Institute. “With increased pressure from regulators for organizations to demonstrate how they oversee cybersecurity, now is the time for boards and leaders to build their competency around cyber risk.”

“Cybersecurity is no longer about simply mitigating risk, it’s now a key indicator of financial performance. Companies must treat cybersecurity as a cornerstone of their business strategy, guided by clear, ambitious benchmarks, and backed by the full support of their boards,” added Dr. Homaira Akbari, CEO of AKnowledge Partners, board member of Banco Santander and Landstar System, and member of Bitsight’s Advisory Board.

Security rating and financial performance

Companies with advanced security ratings create nearly four times the amount of value for shareholders as companies with basic security ratings.

The average total shareholder return (TSR) for companies with advanced security performance ratings over a five-year and three-year period was 71% and 67%, respectively, while companies in the basic performance range delivered 37% and 14% TSR over the same time frames.

Companies with a higher number of independent directors are more likely to have advanced security ratings. About 76% of directors on the boards of these companies with advanced security ratings are independent, compared to 66% in the basic security performance category.

Specialized risk or audit committees enhance cybersecurity performance

The median cybersecurity rating for companies with specialized risk committees is 730, compared to 720 for companies with just audit committees, indicating there is not a significant difference in the ability of the audit committee to oversee cyber risk compared to a specialized risk committee.

Having a cybersecurity expert on the general board is not enough – those experts need to be directly involved with cyber oversight. Companies with cybersecurity experts on either audit or specialized risk committees achieve an average security performance rating of 700, whereas companies with cybersecurity experts on the general board, but not on either committee, attain a security rating of 580.

Highly regulated industries excel in cybersecurity compared to others

The healthcare sector had the highest average security ratings overall at 730. Of the companies with advanced security performance ratings, 33% came from the financial services sector, with an average rating of 720.

By comparison, 24% of companies with basic security performance ratings came from the industrials sector, and the sector with the lowest overall performance rating was the communications sector, at 630.

“The research shows that market leading companies that prioritize cyber risk management outperform their peers,” said Derek Vadala, Chief Risk Officer, Bitsight. “This cannot be achieved without a strong understanding of cybersecurity performance and clear benchmarks shared across the executive team and board. The role of the CISO has shifted. Cyber risk is a key component of business performance.”

  • cybersecurity
  • data breach

Featured news

  • How to design and deliver an effective cybersecurity exercise
  • XZ Utils backdoor update: Which Linux distros are affected and what can you do?
  • Beware! Backdoor found in XZ utilities used by many Linux distros (CVE-2024-3094)
  • Whitepaper: Why Microsoft’s password protection is not enough
  • eBook: Defending the Infostealer Threat
  • Guide: SaaS Offboarding Checklist
  • How much does cloud-based identity expand your attack surface?
  • Finding software flaws early in the development process provides ROI

COMMENTS

  1. Cybersecurity Presentation Guide For Security And Risk Leaders

    This means that cybersecurity risk at an enterprise level is not only a board discussion, but also a personal liability for board members. "Communication and reporting is more an art than a science," Olyaei says. "Security leaders must be able to educate, assure, empower and inform the board within the specific period of time allotted to ...

  2. What To Include In Your Cybersecurity Board Of Directors Presentation

    Below are some of the topics you may want to cover in your first presentation: A high-level overview of different threat actors. Risks to your cybersecurity environment (i.e., the things you're concerned about). The type of data you think is most critical or sensitive.

  3. PDF Effective CISO Presentations to the Board

    Diligent Effective CS Presentations to the Board Top Tips & Checklist 3 Your Cybersecurity Board Presentation Checklist Effective CISO Presentations to the Board: Top Tips & Checklist Come equipped with a dashboard view "In many board meetings, we get 10 minutes of fame if we're lucky, sometime that might be even further reduced

  4. Presenting to BOD

    Vietnam. Virgin Islands (British) Virgin Islands (U.S.) Wallis And Futuna Islands. Western Sahara. Yemen. Zambia. Zimbabwe. Download Presenting to BOD, built by SANS Instructor Lance Spitzner, a slide deck on how to prepare for and present to Board of Directors on Cybersecurity.

  5. 12 tips for effectively presenting cybersecurity to the board

    3. Be transparent. Assessments shouldn't obfuscate the risks to the enterprise, experts say, so CISOs should be upfront and present relevant information in a straightforward, accessible manner ...

  6. CISO's Guide to Presenting Cybersecurity to Board Directors

    Effective communication is a crucial aspect of delivering a successful cybersecurity presentation to the board of directors. By considering the following strategies, you can ensure that your message is both clear and impactful. Using Clear and Concise Language. It is essential to avoid over-technical security language when speaking with the board.

  7. 6 Slides Every CISO Should Use in Their Board Presentation

    Sponsorships Available. 1. Level the conversation. Set expectations for your board and overview the conversation. The goal of the next 15 - 20 minutes will be to establish where their enterprise is on cyber risk, where it should be, and how it will get there. 2. Quantify the cyber risk spectrum. Provide a bar chart with breach likelihood for ...

  8. CISO Board Presentations: 9 Key Slides You Need

    There are 4 key parts to your board presentation: 1. Summarize the last meeting and refresh your Board about your cybersecurity framework. Summarize the takeaways from the previous Board presentation. Follow-up on unresolved issues or any unanswered questions from the previous meeting. Refresh the Board on your security framework. 2.

  9. CISO's Guide to Presenting Cybersecurity to Board Directors

    Successfully delivering a cybersecurity presentation to the board of directors relies heavily on effective communication. To ensure a powerful and easily. Successfully delivering a cybersecurity presentation to the board of directors relies heavily on effective communication. ... Threat Assessment & Recovery Services. Cyber Security Assessment ...

  10. How to present security to the board

    When preparing that key presentation, CSOs might consider integrating the following 10 elements to help manage that all-important, ever-worrisome matter of presenting "Security" in a Board ...

  11. Presenting the Business Case for Security to Your Board of Directors

    Communicating security risk in business language while demonstrating that security is a business driver helps build confidence among the board of directors and executive leadership. Having these ...

  12. How to present cybersecurity programs better to the board of directors

    01:45 Making the board recognize cyber risks; 05:30 Insider threats to intellectual property; 08:33 Preparing for board presentations; 11:50 Most commonly asked questions by board members; 15:40 Convincing metrics for the board; 20:00 Challenges in the board room; 23:47 Overcoming challenges in the board room; 27:05 Collaboration outside the board room; 32:45 Advice for CISOs

  13. The CISO's Guide to Reporting Cybersecurity to the Board

    SecurityScorecard enables effective cybersecurity KPIs for the Board. SecurityScorecard provides easy-to-read A-F ratings across ten groups of risk factors including DNS health, IP reputation, web application security, network security, leaked credentials, hacker chatter, endpoint security, and patching cadence.

  14. How to Communicate Cybersecurity to the Board of Directors

    Strategies for communicating cybersecurity to the board. For starters, he says there are three key things to keep in mind: 1. Boards can't improve what they don't understand. 2. You can learn to speak their language. 3. You can unlock board engagement and better decision making with an easy to understand framework and related benchmarks.

  15. How boards can lead cybersecurity

    The board agenda has been crowded since the start of the pandemic, and many issues have acquired new urgency. In this episode of the Inside the Strategy Room podcast, Frithjof Lund, the leader of our board services work, speaks with two cybersecurity experts about how boards of directors should help their organizations ensure they are prepared for potential cyberattacks.

  16. How CISOs can ace board presentations

    For example, a CISO may have 30 minutes with the board committee and only 20 minutes with the full board. Format: How CISOs choose to present the materials to the board. The format of an update is usually a brief summary with an appendix. For example, CISOs may provide the board with a three-page summary that has a 30-page appendix including ...

  17. CISO series: Talking cybersecurity with the board of directors

    Keep the board educated on the state of cybersecurity. Stories about security breaches get a lot of attention, and your board may hope you can prevent an attack from ever happening. A key aspect of your role is educating them on the reasons why no company will ever be 100 percent secure.

  18. How to prepare company boards for new cybersecurity rules

    On 9 March 2022, the Securities and Exchange Commission (SEC, the US regulator charged with protecting investors and capital markets) proposed new rules that would significantly increase public companies' reporting of both cybersecurity breaches and what executive management and the board are doing to mitigate cyber risk.

  19. Educating Your Board of Directors on Cybersecurity

    Educating board members on cybersecurity issues. However, many board members do not have an IT background or experience with cybersecurity. The survey found that less than 9% of an average board ...

  20. 7 KPIs For Your Board of Directors Cybersecurity Dashboard

    With this insight, the board of directors can develop security policies and enforcement guidelines to rein in the risk posed by shadow IT. Choosing the right KPIs. Choosing metrics for a cyber security dashboard for the board of directors can be a high-stakes exercise. The right KPIs can help executives and board members clearly understand the ...

  21. Boards need to brush up on cybersecurity governance, survey finds

    Boards looking to improve their response to cyber incidents need to be willing to invest in ongoing continuing education for board directors and set aside a certain amount of money for it, according to Clyde. They also need to decide if there is an expectation for directors to complete relevant training. While most boards say that at least once ...

  22. PDF: Cyber security: what does it mean for the board?

    1. Digital trust: A shared responsibility. Digital trust is finding its way on to board agendas as privacy, security and ethics debates gain momentum — partly driven by regulation and partly by public opinion. The future success of any digitally enabled business is built on digital trust.

  23. Advanced cybersecurity strategies boost shareholder returns

    Security rating and financial performance. Companies with advanced security ratings create nearly four times the amount of value for shareholders as companies with basic security ratings. The ...
